MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e41dcbef535020f52b2e3ebe16a6b33dacc3b840d67eda323143edf5c4180c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e41dcbef535020f52b2e3ebe16a6b33dacc3b840d67eda323143edf5c4180c1
SHA3-384 hash: 8133e4d82a9ed92d95ea204bb6617cf6f3815bc5a2e8e2930a5d9c5ed40c2e225c13f576b48c896546f67a0303912f99
SHA1 hash: 05f69eb8f599f0080041ec683fc6f7f3278929a6
MD5 hash: 6c4fcdbb5907149d45b668e0f5d0bf4f
humanhash: spaghetti-eight-mississippi-mike
File name:Piquardo May Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:717'824 bytes
First seen:2020-05-01 14:42:31 UTC
Last seen:2020-05-01 15:55:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:og5JHngBgeFAFOeFAlekpYBp0poFJMCM6E+0GmR6ognb/A8OruMvFA:3JgBgzFOzkap7qEkmREA8s7FA
Threatray 10'620 similar samples on MalwareBazaar
TLSH 5FE47E3F7A886805D03D49B154999A903276A6C73E02CB5F39C9A7ACBF423CE3B4535D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: Piquadro.com
Sending IP: 103.145.253.9
From: Serena Vanzini <info@Piquadro.com >
Subject: Ordine 2002149 GINLAI for GM S115
Attachment: Piquardo May Order.gz (contains "Piquardo May Order.exe")

AgentTesla FTP exfil server:
ftp.scandinavian-collection.com:21

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.3885.23387.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 13:37:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 30 (76.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hza5zpxvguba6uvs4pv6c2tlgpnmyo4ebvt63izdcq7n6xcbqdaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
180624a2fc01585360e3cdb233e251a090aa58e3c85ed5cffd9c68a09d0572e1
AgentTesla
18a5178de990ef6576ad3f27c3cab154b089322376d6da8921fded3ff953e70b
AgentTesla
1bd2167a8fcbf887fef44678673db17761bb421b8f3b5144a2fb942d5f80ad95
AgentTesla
61a586fb831e8dfaa70ec78a1c33bb32a979dca1af2be35b369d4ee05e1b114a
AgentTesla
6cb568b75854eb996f64f7d5a611460a6724d3cf831c3c5065c0bb17ec1b59f4
AgentTesla
77c269f8f12229c089a6204579da3f3bb6f9f1c376bbced3851df606e30051aa
AgentTesla
89aa23d93dbd6a5f3f4840ac1b63dc5b8f260d4eafc0dd78ae8c5254ab03638c
AgentTesla
8ad69f7487e5a7b06d3c9b12d4fdbf6604462f90ddc2e1986dd61eaf8427e724
AgentTesla
e4a2f0fc57afb3f08bc128e0653b8c8d82651cf292687a89e9b7cad50b801376
AgentTesla
e63f387576728aa5b18cc7a2514cb3b45df942d0610af58ff38a72a7b3945b1f
AgentTesla
+ 10'610 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz d078bf9d5ce9d3dae8699421fe2244882ed4fce80dd7bff28cdca160b97a5a33

AgentTesla

Executable exe 3e41dcbef535020f52b2e3ebe16a6b33dacc3b840d67eda323143edf5c4180c1

(this sample)

  
Dropped by
MD5 83a412ba4881fbcd113c90b492ba1142
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d078bf9d5ce9d3dae8699421fe2244882ed4fce80dd7bff28cdca160b97a5a33

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments